Abstract

Model design is not a linear, one-shot process. It proceeds through refinements and revisions. To effectively support developers in generating model refinements and revisions, it is desirable to have some automated support to verify evolvable models. To address this problem, we recently proposed to adopt topological proofs, which are slices of the original model that witness property satisfaction. We implemented TOrPEDO, a framework that provides automated support for using topological proofs during model design. Our results showed that topological proofs are significantly smaller than the original models and that, in most cases, they allow the property to be re-verified by relying only on a simple syntactic check. However, our results also showed that the procedure that computes topological proofs, which requires extracting unsatisfiable cores of LTL formulae, is computationally expensive. For this reason, TOrPEDO currently handles only models of small size. With the intent of providing practical and efficient support for flexible model design and wider adoption of our framework, in this paper we propose an enhanced, re-engineered version of TOrPEDO. The new version relies on a novel procedure to extract topological proofs, the step that has so far been the bottleneck of TOrPEDO's performance. We implemented our procedure within TOrPEDO by considering Partial Kripke Structures (PKSs) and Linear-time Temporal Logic (LTL), two widely used formalisms to express models with uncertain parts and their properties. To extract topological proofs, the new version of TOrPEDO converts the LTL formulae into an SMT instance and reuses an existing SMT solver (e.g., Microsoft Z3) to compute an unsatisfiable core. The unsatisfiable core returned by the SMT solver is then automatically processed to generate the topological proof.
We evaluated TOrPEDO by assessing (i) how the size of the proofs generated by TOrPEDO compares to the size of the models being analyzed, and (ii) how frequently the use of the topological proof returned by TOrPEDO avoids re-executing the model checker. Our results show that TOrPEDO provides proofs that are smaller (approximately 60%) than their respective initial models, effectively supporting designers in creating model revisions. In a significant number of cases (approximately 79%), the topological proofs returned by TOrPEDO enable assessing property satisfaction without re-running the model checker. We evaluated our new version of TOrPEDO by assessing (i) how it compares to the previous one, and (ii) how useful it is in supporting the evaluation of alternative design choices of (small) model instances in applied domains. The results show that the new version of TOrPEDO is significantly more efficient than the previous one and can compute topological proofs for models with fewer than 40 states within two hours. The topological proofs and counterexamples provided by TOrPEDO are useful to support the development of alternative design choices of (small) model instances in applied domains.
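The slice-and-re-check idea described in the abstract, as an added illustration that is not TOrPEDO's own code: a small three-valued Kripke structure, the invariant property G p, the topological proof taken as the set of reachable states together with their p-label and their outgoing transitions, and the syntactic re-check applied to three constructed revisions. It covers invariants only (the paper handles full LTL through unsatisfiable cores); the sample models, state names and the T/F/M verdict encoding are assumptions made here.

```python
"""Topological proof of an invariant over a partial Kripke structure (added example).

Constructed sample models; not TOrPEDO code. Verdicts are three-valued because
a PKS may label a proposition as unknown ("maybe") in some states.
"""
from collections import deque

TRUE, FALSE, MAYBE = "T", "F", "M"


class PKS:
    def __init__(self, initial, succ, label):
        # initial: initial state names; succ: state -> successor states;
        # label: state -> {atomic proposition: TRUE | FALSE | MAYBE}
        self.initial = frozenset(initial)
        self.succ = {s: frozenset(t) for s, t in succ.items()}
        self.label = {s: dict(l) for s, l in label.items()}


def reachable(m):
    """Breadth-first reachability from the initial states."""
    seen, todo = set(), deque(m.initial)
    while todo:
        s = todo.popleft()
        if s not in seen:
            seen.add(s)
            todo.extend(m.succ.get(s, ()))
    return seen


def check_invariant(m, ap):
    """Model-check `G ap`: FALSE (with the offending state as counterexample) if a
    reachable state violates ap, TRUE if all reachable states satisfy it, else MAYBE."""
    values = {s: m.label.get(s, {}).get(ap, MAYBE) for s in reachable(m)}
    for s, v in values.items():
        if v == FALSE:
            return FALSE, s
    return (TRUE if all(v == TRUE for v in values.values()) else MAYBE), None


def topological_proof(m, ap):
    """The slice of m witnessing the verdict of `G ap`: initial states plus, for every
    reachable state, its ap-label and its successors. Any model that agrees with the
    slice has the same reachable set, hence the same verdict. None when ap is violated."""
    verdict, _ = check_invariant(m, ap)
    if verdict == FALSE:
        return None
    states = {s: (m.label.get(s, {}).get(ap, MAYBE), m.succ.get(s, frozenset()))
              for s in reachable(m)}
    return {"ap": ap, "verdict": verdict, "initial": m.initial, "states": states}


def recheck(proof, revision):
    """Syntactic re-check: if the revision leaves the proof slice untouched, return the
    recorded verdict without model checking; otherwise return None (re-run needed).
    Both labels and transitions must be compared, or the check would be unsound."""
    if revision.initial != proof["initial"]:
        return None
    for s, (v, succ) in proof["states"].items():
        if revision.label.get(s, {}).get(proof["ap"], MAYBE) != v:
            return None
        if revision.succ.get(s, frozenset()) != succ:
            return None
    return proof["verdict"]


# Constructed sample: a ring s0 -> s1 -> s2 -> s0 plus an unreachable pair s3 <-> s4.
ORIGINAL = PKS(
    initial={"s0"},
    succ={"s0": {"s1"}, "s1": {"s2"}, "s2": {"s0"}, "s3": {"s4"}, "s4": {"s3"}},
    label={"s0": {"p": TRUE}, "s1": {"p": TRUE}, "s2": {"p": TRUE},
           "s3": {"p": FALSE}, "s4": {"p": MAYBE}},
)
PROOF = topological_proof(ORIGINAL, "p")  # 3 of the 5 states

# Revision touching only the unreachable part: the slice is intact, no re-run.
REV_UNREACHABLE = PKS(ORIGINAL.initial, {**ORIGINAL.succ, "s3": {"s3"}},
                      {**ORIGINAL.label, "s4": {"p": TRUE}})
# Revision adding an edge s2 -> s3 into the violating state: slice changed, re-run.
REV_EDGE = PKS(ORIGINAL.initial, {**ORIGINAL.succ, "s2": {"s0", "s3"}}, ORIGINAL.label)
# Revision weakening s1 to "maybe p": slice changed, re-run yields MAYBE.
REV_MAYBE = PKS(ORIGINAL.initial, ORIGINAL.succ, {**ORIGINAL.label, "s1": {"p": MAYBE}})

if __name__ == "__main__":
    print("original:", check_invariant(ORIGINAL, "p"), "proof size:", len(PROOF["states"]))
    for name, rev in [("unreachable", REV_UNREACHABLE), ("edge", REV_EDGE), ("maybe", REV_MAYBE)]:
        verdict = recheck(PROOF, rev)
        print(name, "re-check:", verdict if verdict else "re-run ->", 
              "" if verdict else check_invariant(rev, "p"))
```

The re-check is sound only because the slice pins down both the label and the successor set of every reachable state: dropping the transition comparison would wrongly accept the revision that routes s2 into the violating state s3.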

Highlights

  • One of the goals of formal methods is to provide automated verification tools that support designers in producing models that satisfy a set of properties of interest

  • We recently proposed the novel notion of topological proof (TP) [MRB20], which overcomes the complexity of deductive proofs and is designed to make proofs useful for the iterative verification of model revisions

  • The ✓ symbol associated with model callee-2 and property φ1 indicates that the re-check component confirmed that the revision callee-2 of callee-1 is an -revision of callee-1, by considering the topological proof for φ1 in callee-1


Summary

Introduction

One of the goals of formal methods is to provide automated verification tools that support designers in producing models that satisfy a set of properties of interest. Model checkers support the case in which a property is violated, by producing counterexamples that explain why it is not satisfied; theorem provers support the case in which a property holds, by justifying why it is satisfied. Even for simple models, proving the theorem requires a considerable number of deductive rules, leading to complex proofs. This makes deductive proofs difficult to understand and hardly relatable to the designer's modeling choices. After the models are changed and model revisions are created, deductive proofs do not provide effective support for the automated verification of the model revisions.
